Research Papers

From Data Privacy Foundation

2017

Abstract of Returning Control of Data to Users with a Personal Information Crunch.

With the data universe expanding to uncontrollable limits, we are losing control of our personal information. From online purchases to movie streaming, we are giving vendors more and more information, such that our privacy is at stake. Hackers and third parties can gain access to this information, putting us at risk of a number of attacks. The current model, where every online vendor has personal information such as name, addresses and date of birth, should be reconsidered. A user needs to have full, or at least more, control over their personal data and who has access to it. This paper presents alternatives to vendors having all of a user's personal information and raises many concerns about the current state of play. A simple model is proposed where personal information is stored on the user's mobile device and requested by vendors when needed. Information can then be given in either a private or trusted manner, and encrypted responses can be cached by a relay service. Vendors should only use the data in flight, and never store personal information. This provides the user with data provenance and access control, while providing the vendor with accountability and enhanced security.

Will, M. A., Garae, J., Tan, A. Y. S., Scoon, C., & Ko, R. K. L. (2017). Returning Control of Data to Users with a Personal Information Crunch - A Position Paper. International Conference on Cloud Computing Research and Innovation. {PDF}

Abstract of Anonymous Data Sharing Between Organisations with Elliptic Curve Cryptography.

Promoting data sharing between organisations is challenging, even without the added concern of having actions traced. Even with encrypted search capabilities, the entity's digital location and downloaded information can be traced, leaking information to the hosting organisation. This is a problem for law enforcement and government agencies, where any information leakage is not acceptable, especially for investigations. Anonymous routing is a technique to stop a host learning which agency is accessing information. Many related works on anonymous routing have been proposed, but they are designed for Internet traffic and are overcomplicated for internal usage. A streaming design for circuit creation is proposed using elliptic curve cryptography. This allows for a simple anonymous routing solution which provides fast performance with source and destination anonymity to other organisations.

Will, M. A., Ko, R. K. L., & Schlickmann, S. J. (2017). Anonymous Data Sharing Between Organisations with Elliptic Curve Cryptography. In IEEE TrustCom/BigDataSE/ICESS 2017. {PDF}

Abstract of Secure FPGA as a Service - Towards Secure Data Processing by Physicalizing the Cloud.

Securely processing data in the cloud is still a difficult problem, even with homomorphic encryption and other privacy-preserving schemes. Hardware solutions provide additional layers of security and greater performance over their software alternatives. However, by definition the cloud should be flexible and adaptive, often viewed as abstracting services from products. By creating services reliant on custom hardware, the core essence of the cloud is lost. FPGAs bridge this gap between software and hardware with programmable logic, allowing the cloud to remain abstract. FPGA as a Service (FaaS) has been proposed for a greener cloud, but not for secure data processing. This paper explores the possibility of Secure FaaS in the cloud for privacy-preserving data processing, describes the technologies required, identifies use cases, and highlights potential challenges.

Will, M. A., & Ko, R. K. L. (2017). Secure FPGA as a Service - Towards Secure Data Processing by Physicalizing the Cloud. In IEEE TrustCom/BigDataSE/ICESS 2017. {PDF}

2016

Abstract of The Data Privacy Matrix Project: Towards a Global Alignment of Data Privacy Laws.

Data privacy is an expected right of most citizens around the world but there are many legislative challenges within a boundary-less cloud computing and World Wide Web environment. Despite its importance, there is limited research around data privacy law gaps and alignment, and the legal side of the security ecosystem which seems to be in a constant effort to catch-up. There are already issues within recent history which show a lack of alignment causing a great deal of confusion, an example of this is the ’right to be forgotten’ case which came up in 2014. This case involved a Spanish man against Google Spain. He requested the removal of a link to an article about an auction for his foreclosed home, for a debt that he had subsequently paid. However, misalignment of data privacy laws caused further complications to the case. This paper introduces the Waikato Data Privacy Matrix, our global project for alignment of data privacy laws by focusing on Asia Pacific data privacy laws and their relationships with the European Union and the USA. This will also suggest potential solutions to address some of the issues which may occur when a breach of data privacy occurs, in order to ensure an individual has their data privacy protected across the boundaries in the Web. With the increase in data processing and storage across different jurisdictions and regions (e.g. public cloud computing), the Waikato Data Privacy Matrix empowers businesses using or providing cloud services to understand the different data privacy requirements across the globe, paving the way for increased cloud adoption and usage.

Scoon, C., & Ko, R. K. L. (2016). The Data Privacy Matrix Project: Towards a Global Alignment of Data Privacy Laws. In IEEE TrustCom/BigDataSE/ISPA. doi:10.1109/TrustCom.2016.0305 {PDF}

2015

Abstract of Cloud Security Ecosystem (The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues, pp. 1-14).

This chapter introduces the reader to the initial developments of the cloud computing industry, consolidated cloud-related terminologies, and concepts, and explains the main reasons and causes of the cloud security and privacy concerns.

Ko, R. K. L., & Choo, K. -K. R. (2015). Cloud security ecosystem. In R. Ko, & K. -K. R. Choo (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues (pp. 1-14). Elsevier Inc. doi:10.1016/B978-0-12-801595-7.00001-X

Abstract of A Guide to Homomorphic Encryption (The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues, pp. 101-127).

Traditional cryptography techniques require our data to be unencrypted to be processed correctly. This means that at some stage, on a system we have no control over, our data will be processed in plaintext. Homomorphic encryption, or specifically fully homomorphic encryption, is a viable solution to this problem. It allows encrypted data to be processed as if it were in plaintext and will produce the correct value once decrypted. While many know that homomorphic encryption promises to be an ideal solution to trust, security, and privacy issues in cloud computing, few actually know how it works and why it is not yet a practical solution despite its promises. This chapter serves as a much-needed primer on current homomorphic encryption techniques, discusses several practical challenges, and introduces workarounds proposed by practitioners and researchers to overcome these challenges.

Will, M. A., & Ko, R. K. L. (2015). A guide to homomorphic encryption. In R. Ko, & K. -K. R. Choo (Eds.), The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues (pp. 101-127). Elsevier Inc. doi:10.1016/B978-0-12-801595-7.00005-7

Abstract of Unified Model for Data Security - A Position Paper (Trust, Security and Privacy in Computing and Communications, pp. 831-839).

One of the most crucial components of modern Information Technology (IT) systems is data. It can be argued that the majority of IT systems are built to collect, store, modify, communicate and use data, enabling different data stakeholders to access and use it to achieve different business objectives. The confidentiality, integrity, availability, auditability, privacy, and quality of the data is of paramount concern for end-users ranging from ordinary consumers to multi-national companies. Over the course of time, different frameworks have been proposed and deployed to provide data security. Many of these previous paradigms were specific to particular domains such as military or media content providers, while in other cases they were generic to different verticals within an industry. There is a much needed push for a holistic approach to data security instead of the current bespoke approaches. The age of the Internet has witnessed an increased ease of sharing data with or without authorisation. These scenarios have created new challenges for traditional data security. In this paper, we study the evolution of data security from the perspective of past proposed frameworks, and present a novel Unified Model for Data Security (UMDS). The discussed UMDS reduces the friction from several cross-domain challenges, and has the functionality to possibly provide comprehensive data security to data owners and privileged users.

Akram, R. N., & Ko, R. K. L. (2015). Unified model for data security - A position paper. In Proc 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (pp. 831-839). Beijing: Institute of Electrical and Electronics Engineers Inc. doi:10.1109/TrustCom.2014.110 {PDF}

Abstract of Escrow: A Large-Scale Web Vulnerability Assessment Tool

The reliance on Web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is light-weight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple-to-use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e. it can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices.

Delamore, B., & Ko, R. K. L. (2015). Escrow: A large-scale web vulnerability assessment tool. In 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (pp. 983-988). Beijing: Institute of Electrical and Electronics Engineers Inc. doi:10.1109/TrustCom.2014.130 {PDF}
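Worked example (added for this page; it is not Escrow's code): the flaw class the paper's tool hunts for, reduced to a single lookup against an in-memory SQLite database, next to the defensive coding practice the paper recommends. The schema, the three user rows and the function names are constructed for the example; the tautology payload is the classic boolean-based probe.

```python
import sqlite3

# Added example: one string-concatenated query (vulnerable) beside its
# parameterised form, plus the identifier case that parameters cannot cover.

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users (username, role) VALUES ('alice', 'admin');
INSERT INTO users (username, role) VALUES ('bob', 'staff');
INSERT INTO users (username, role) VALUES ('carol', 'staff');
"""


def open_db() -> sqlite3.Connection:
    """Constructed sample data, kept in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_vulnerable(conn, username: str):
    """Concatenation: the caller's text becomes part of the SQL grammar,
    so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    """Bound parameter: the driver ships the value separately from the
    statement, so quotes in it can never change what the query does."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn, sort_by: str):
    """Identifiers (column names, table names) cannot be bound as parameters,
    so a sort column taken from a request is checked against an allow-list
    before it is spliced into the statement."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % sort_by)
    return conn.execute("SELECT id, username FROM users ORDER BY " + sort_by).fetchall()


TAUTOLOGY = "nobody' OR '1'='1"  # turns WHERE username = '...' into an always-true test


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", find_user_vulnerable(db, TAUTOLOGY))  # every row comes back
    print("safe:      ", find_user_safe(db, TAUTOLOGY))        # no such user, empty list
```

The vulnerable function returns all three rows for the tautology because the resulting statement is `... WHERE username = 'nobody' OR '1'='1'`; the parameterised one returns nothing because it looks for a user literally named `nobody' OR '1'='1`. SQLite's `execute` refuses stacked statements, which hides the `; DROP TABLE` variant here, but other drivers do not, which is why the allow-list in `list_users_sorted` matters even though the sort column is never quoted.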

Abstract of Digital Trust - Trusted Computing and Beyond A Position Paper

Along with the invention of computers and interconnected networks, physical societal notions like security, trust, and privacy entered the digital environment. The concept of digital environments begins with the trust (established in the real world) in the organisation/individual that manages the digital resources. This concept evolved to deal with the rapid growth of the Internet, where it became impractical for entities to have prior offline (real world) trust. The evolution of digital trust took diverse approaches and now trust is defined and understood differently across heterogeneous domains. This paper looks at digital trust from the point of view of security and examines how valid trust approaches from other domains are now making their way into secure computing. The paper also revisits and analyses the Trusted Platform Module (TPM) along with associated technologies and their relevance in the changing landscape. We especially focus on the domains of cloud computing, mobile computing and cyber-physical systems. In addition, the paper also explores our proposals that are competing with and extending the traditional functionality of TPM specifications.

Akram, R. N., & Ko, R. K. L. (2015). Digital trust - trusted computing and beyond: A position paper. In Proceedings 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (pp. 884-892). Beijing: Institute of Electrical and Electronics Engineers Inc. doi:10.1109/TrustCom.2014.116 {PDF}

Abstract of Bin Encoding: A User-Centric Secure Full-Text Searching Scheme for the Cloud

Permitting users to search encrypted documents presents cloud storage providers with interesting challenges. Existing solutions target large corporations rather than individual users of the cloud. In order to serve all users, we propose a way of shifting most of the computational complexity from the client to the cloud by building and managing the index there, while ensuring that only the client can access the plaintext. This allows more sophisticated indexing and search ranking schemes to be implemented, including approximate search with multiple errors. Our method uses a many-to-one encoding scheme called "Bin Encoding", and this paper analyses its cryptographic strength against letter-frequency and dictionary attacks.

Will, M., Ko, R. K. L., & Witten, I. (2015). Bin encoding: a user-centric secure full-text search scheme for the Cloud. In Proc 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (pp. 563-570). Helsinki, Finland: IEEE. doi:10.1109/Trustcom.2015.420

Abstract of Trusted Tamper-Evident Data Provenance

Data provenance, the origin and derivation history of data, is commonly used for security auditing, forensics and data analysis. While provenance loggers provide evidence of data changes, the integrity of the provenance logs is also critical for the integrity of the forensics process. However, to the best of our knowledge, few solutions are able to fully satisfy this trust requirement. In this paper, we propose a framework to enable tamper-evidence and preserve the confidentiality and integrity of data provenance using the Trusted Platform Module (TPM). Our framework also stores provenance logs in trusted and backup servers to guarantee the availability of data provenance. Tampered provenance logs can be discovered and consequently recovered by retrieving the original logs from the servers. Leveraging the TPM's technical capability, our framework guarantees that the data provenance collected is admissible, complete, and confidential. More importantly, this framework can be applied to capture tampering evidence in large-scale cloud environments at system, network, and application granularities. We applied our framework to provide tamper-evidence for Progger, a cloud-based, kernel-space logger. Our results demonstrate the ability to conduct remote attestation of Progger logs' integrity, and uphold the completeness, confidentiality and admissibility requirements.

Bany Taha, M., Chaisiri, S., & Ko, R. K. L. (2015). Trusted tamper-evident data provenance. In Proc 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (pp. 646-653). Helsinki, Finland: IEEE. doi:10.1109/Trustcom.2015.430

Abstract of Message from the TSCloud 2014 Symposium Chairs

Presents the introductory welcome message from the conference proceedings. May include the conference officers' congratulations to all involved with the conference event and publication of the proceedings record.

Ko, R. K. L., & Choo, K. -K. R. (2015). Message from the symposium chairs: TSCloud 2014. In Proc 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (pp. xxvi). Beijing, China: Institute of Electrical and Electronics Engineers Inc. doi:10.1109/TrustCom.2014.147

Abstract of Message from the Workshop Chairs of IEEE TSCloud 2015

Presents the introductory welcome message from the conference proceedings. May include the conference officers' congratulations to all involved with the conference event and publication of the proceedings record.

Ko, R., & Choo, K. K. R. (2015). Message from the workshop chairs of IEEE TSCloud 2015. In Proc 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications Vol. 1 (pp. xxx). Helsinki, Finland: IEEE. doi:10.1109/Trustcom.2015.337

Abstract of Inferring User Actions from Provenance Logs

Progger, a kernel-space cloud data provenance logger which provides fine-grained data activity records, was recently developed to empower cloud stakeholders to trace data life cycles within and across clouds. Progger logs have the potential to allow analysts to infer user actions and create a data-centric behaviour history in a cloud computing environment. However, the Progger logs are complex and noisy and therefore, currently, this potential cannot be met. This paper proposes a statistical approach to efficiently infer the user actions from the Progger logs. Inferring logs which capture activities at kernel-level granularity is not a straightforward endeavour. This paper overcomes this challenge through an approach which shows a high level of accuracy. The key aspects of this approach are identifying the data preprocessing steps and attribute selection. We then use four standard classification models and identify the model which provides the most accurate inference on user actions. To the best of our knowledge, this is the first work of its kind. We also discuss a number of possible extensions to this work. Possible future applications include the ability to predict an anomalous security activity before it occurs.

Li, X., Joshi, C., Tan, A. Y. S., & Ko, R. K. L. (2015). Inferring user actions from provenance logs. In Proc 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (pp. 742-749). Helsinki, Finland: IEEE. doi:10.1109/Trustcom.2015.442 {PDF}

2014

Abstract of Data Accountability in Cloud Systems

This chapter reviews the definitions, existing techniques and standards in the area of data accountability in cloud computing. It also introduces new research for the accountability, traceability and auditability of data provenance and history and discusses the critical problems of cloud security relating to accountability.

Ko, R. K. L. (2014). Data accountability in Cloud systems. In S. Nepal, & M. Pathan (Eds.), Security, Privacy and Trust in Cloud Systems (pp. 211-238). Germany: Springer-Verlag Berlin Heidelberg. doi:10.1007/978-3-642-38586-5_7

Abstract of TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

Today’s smartphone operating systems frequently fail to provide users with visibility into how third-party applications collect and share their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid enables realtime analysis by leveraging Android’s virtualized execution environment. TaintDroid incurs only 32% performance overhead on a CPU-bound microbenchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, in our 2010 study we found 20 applications potentially misused users’ private information; so did a similar fraction of the tested applications in our 2012 study. Monitoring the flow of privacy-sensitive data with TaintDroid provides valuable input for smartphone users and security service firms seeking to identify misbehaving applications.

William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. 2014. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. ACM Trans. Comput. Syst. 32, 2, Article 5 (June 2014), 29 pages.

Abstract of Privacy in the digital age: a review of information privacy research in information systems

Information privacy refers to the desire of individuals to control or have some influence over data about themselves. Advances in information technology have raised concerns about information privacy and its impacts, and have motivated Information Systems researchers to explore information privacy issues, including technical solutions to address these concerns. In this paper, we inform researchers about the current state of information privacy research in IS through a critical analysis of the IS literature that considers information privacy as a key construct. The review of the literature reveals that information privacy is a multilevel concept, but rarely studied as such. We also find that information privacy research has been heavily reliant on student-based and USA-centric samples, which results in findings of limited generalizability.

France Bélanger and Robert E. Crossler. 2011. Privacy in the digital age: a review of information privacy research in information systems. MIS Q. 35, 4 (December 2011), 1017-1042. {URL}

2013

Abstract of A Secure and Trusted Channel Protocol for the User Centric Smart Card Ownership Model

The User Centric Smart Card Ownership Model (UCOM) provides an open and dynamic smart card environment enabling cardholders to request installation/deletion of an application to which they are entitled. As, in this model, smart cards are not under the control of a centralised authority, it is difficult for an application provider to ascertain their trustworthiness. At present, proposed secure channel protocols for the smart card environment do not provide the adequate assurance required by the UCOM. In this paper, we explore the reasons behind their failure to meet the UCOM requirements and then propose a secure and trusted channel protocol that meets them. In addition, the proposed protocol is also suitable for GlobalPlatform's consumer-centric smart cards. A comparison of the proposed protocol with existing smart card and selected Internet protocols is provided. Then we analyse the protocol with the CasperFDR tool. Finally, we detail the implementation and the performance measurement.

Akram, R. N., Markantonakis, K., & Mayes, K. (2013). A secure and trusted channel protocol for the User Centric Smart Card Ownership Model. In Proc 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (pp. 336-345). Conference held at Melbourne, Australia: IEEE Computer Society. doi:10.1109/trustcom.2013.245

2010

Abstract of Privacy-preserving data publishing: A survey of recent developments

The collection of digital information by governments, corporations, and individuals has created tremendous opportunities for knowledge- and information-based decision making. Driven by mutual benefits, or by regulations that require certain data to be published, there is a demand for the exchange and publication of data among various parties. Data in its original form, however, typically contains sensitive information about individuals, and publishing such data will violate individual privacy. The current practice in data publishing relies mainly on policies and guidelines as to what types of data can be published and on agreements on the use of published data. This approach alone may lead to excessive data distortion or insufficient protection. Privacy-preserving data publishing (PPDP) provides methods and tools for publishing useful information while preserving data privacy. Recently, PPDP has received considerable attention in research communities, and many approaches have been proposed for different data publishing scenarios. In this survey, we will systematically summarize and evaluate different approaches to PPDP, study the challenges in practical data publishing, clarify the differences and requirements that distinguish PPDP from other related problems, and propose future research directions.

Benjamin C. M. Fung, Ke Wang, Rui Chen, and Philip S. Yu. 2010. Privacy-preserving data publishing: A survey of recent developments. ACM Comput. Surv. 42, 4, Article 14 (June 2010), 53 pages. DOI=http://dx.doi.org/10.1145/1749603.1749605

Abstract of Internet of Things - New security and privacy challenges

The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture's resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.

Rolf H. Weber, Internet of Things – New security and privacy challenges, Computer Law & Security Review, Volume 26, Issue 1, 2010, Pages 23-30, ISSN 0267-3649, https://doi.org/10.1016/j.clsr.2009.11.008.

2009

Abstract of Broken promises of privacy: Responding to the surprising failure of anonymization

Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques for protecting the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated they can often 'reidentify' or 'deanonymize' individuals hidden in anonymized data with astonishing ease. By understanding this research, we will realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so.

Ohm, P. (2009). Broken promises of privacy: Responding to the surprising failure of anonymization. {PDF}

Abstract of Taking account of privacy when designing cloud computing services

Privacy is an important issue for cloud computing, both in terms of legal compliance and user trust, and needs to be considered at every phase of design. In this paper the privacy challenges that software engineers face when targeting the cloud as their production environment to offer services are assessed, and key design principles to address these are suggested.

Siani Pearson. 2009. Taking account of privacy when designing cloud computing services. In Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing (CLOUD '09). IEEE Computer Society, Washington, DC, USA, 44-52. DOI=10.1109/CLOUD.2009.5071532

Abstract of To join or not to join: the illusion of privacy in social networks with mixed public and private user profiles

In order to address privacy concerns, many social media websites allow users to hide their personal profiles from the public. In this work, we show how an adversary can exploit an online social network with a mixture of public and private user profiles to predict the private attributes of users. We map this problem to a relational classification problem and we propose practical models that use friendship and group membership information (which is often not hidden) to infer sensitive attributes. The key novel idea is that in addition to friendship links, groups can be carriers of significant information. We show that on several well-known social media sites, we can easily and accurately recover the information of private-profile users. To the best of our knowledge, this is the first work that uses link-based and group-based classification to study privacy implications in social networks with mixed public and private user profiles.

Elena Zheleva and Lise Getoor. 2009. To join or not to join: the illusion of privacy in social networks with mixed public and private user profiles. In Proceedings of the 18th international conference on World wide web (WWW '09). ACM, New York, NY, USA, 531-540. DOI=10.1145/1526709.1526781

2008

Abstract of Differential privacy: A survey of results

Over the past five years a new approach to privacy-preserving data analysis has born fruit. This approach differs from much (but not all!) of the related literature in the statistics, databases, theory, and cryptography communities, in that a formal and ad omnia privacy guarantee is defined, and the data analysis techniques presented are rigorously proved to satisfy the guarantee. The key privacy guarantee that has emerged is differential privacy. Roughly speaking, this ensures that (almost, and quantifiably) no risk is incurred by joining a statistical database.

Dwork C. (2008) Differential Privacy: A Survey of Results. In: Agrawal M., Du D., Duan Z., Li A. (eds) Theory and Applications of Models of Computation. TAMC 2008. Lecture Notes in Computer Science, vol 4978. Springer, Berlin, Heidelberg {PDF}

Abstract of Robust de-anonymization of large sparse datasets

We present a new class of statistical de-anonymization attacks against high-dimensional micro-data, such as individual preferences, recommendations, transaction records and so on. Our techniques are robust to perturbation in the data and tolerate some mistakes in the adversary's background knowledge. We apply our de-anonymization methodology to the Netflix Prize dataset, which contains anonymous movie ratings of 500,000 subscribers of Netflix, the world's largest online movie rental service. We demonstrate that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber's record in the dataset. Using the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information.

Narayanan, A., & Shmatikov, V. (2008, May). Robust de-anonymization of large sparse datasets. In Security and Privacy, 2008. SP 2008. IEEE Symposium on (pp. 111-125). IEEE. {PDF}

Abstract of A general survey of privacy-preserving data mining models and algorithms

In recent years, privacy-preserving data mining has been studied extensively, because of the wide proliferation of sensitive information on the internet. A number of algorithmic techniques have been designed for privacy-preserving data mining. In this paper, we provide a review of the state-of-the-art methods for privacy. We discuss methods for randomization, k-anonymization, and distributed privacy-preserving data mining. We also discuss cases in which the output of data mining applications needs to be sanitized for privacy-preservation purposes. We discuss the computational and theoretical limits associated with privacy-preservation over high dimensional data sets.

Aggarwal, C. C., & Philip, S. Y. (2008). A general survey of privacy-preserving data mining models and algorithms. In Privacy-preserving data mining (pp. 11-52). Springer US. {PDF}

Abstract of Protecting location privacy with personalized k-anonymity: Architecture and algorithms

Continued advances in mobile networks and positioning technologies have created a strong market push for location-based applications. Examples include location-aware emergency response, location-based advertisement, and location-based entertainment. An important challenge in the wide deployment of location-based services (LBSs) is the privacy-aware management of location information, providing safeguards for location privacy of mobile clients against vulnerabilities for abuse. This paper describes a scalable architecture for protecting the location privacy from various privacy threats resulting from uncontrolled usage of LBSs.

Gedik, B., & Liu, L. (2008). Protecting location privacy with personalized k-anonymity: Architecture and algorithms. IEEE Transactions on Mobile Computing, 7(1), 1-18. {PDF}

Abstract of Preserving privacy in social networks against neighborhood attacks

Recently, as more and more social network data has been published in one way or another, preserving privacy in publishing social network data becomes an important concern. With some local knowledge about individuals in a social network, an adversary may attack the privacy of some victims easily. Unfortunately, most of the previous studies on privacy preservation can deal with relational data only, and cannot be applied to social network data. In this paper, we take an initiative towards preserving privacy in social network data. We identify an essential type of privacy attacks: neighborhood attacks. If an adversary has some knowledge about the neighbors of a target victim and the relationship among the neighbors, the victim may be re-identified from a social network even if the victim's identity is preserved using the conventional anonymization techniques.

Zhou, B., & Pei, J. (2008, April). Preserving privacy in social networks against neighborhood attacks. In Data Engineering, 2008. ICDE 2008. IEEE 24th International Conference on (pp. 506-515). IEEE. {[2]}

2007

Abstract of L-diversity: Privacy beyond k-anonymity

In this article, we show using two simple attacks that a k-anonymized dataset has some subtle but severe privacy problems. First, an attacker can discover the values of sensitive attributes when there is little diversity in those sensitive attributes. This is a known problem. Second, attackers often have background knowledge, and we show that k-anonymity does not guarantee privacy against attackers using background knowledge. We give a detailed analysis of these two attacks, and we propose a novel and powerful privacy criterion called ℓ-diversity that can defend against such attacks. In addition to building a formal foundation for ℓ-diversity, we show in an experimental evaluation that ℓ-diversity is practical and can be implemented efficiently.

Ashwin Machanavajjhala, Daniel Kifer, Johannes Gehrke, and Muthuramakrishnan Venkitasubramaniam. 2007. L-diversity: Privacy beyond k-anonymity. ACM Trans. Knowl. Discov. Data 1, 1, Article 3 (March 2007). DOI=10.1145/1217299.1217302

Abstract of Mechanism design via differential privacy

We study the role that privacy-preserving algorithms, which prevent the leakage of specific information about participants, can play in the design of mechanisms for strategic agents, which must encourage players to honestly report information. Specifically, we show that the recent notion of differential privacy, in addition to its own intrinsic virtue, can ensure that participants have limited effect on the outcome of the mechanism, and as a consequence have limited incentive to lie. More precisely, mechanisms with differential privacy are approximate dominant strategy under arbitrary player utility functions, are automatically resilient to coalitions, and easily allow repeatability.

McSherry, F., & Talwar, K. (2007, October). Mechanism design via differential privacy. In Foundations of Computer Science, 2007. FOCS'07. 48th Annual IEEE Symposium on (pp. 94-103). IEEE. {PDF}

2006

Abstract of Calibrating noise to sensitivity in private data analysis

We continue a line of research initiated in on privacy-preserving statistical databases. Consider a trusted server that holds a database of sensitive information. Given a query function f mapping databases to reals, the so-called true answer is the result of applying f to the database. To protect privacy, the true answer is perturbed by the addition of random noise generated according to a carefully chosen distribution, and this response, the true answer plus noise, is returned to the user.

Dwork, C., McSherry, F., Nissim, K., & Smith, A. (2006, March). Calibrating noise to sensitivity in private data analysis. In TCC (Vol. 3876, pp. 265-284). {PDF}

Abstract of RFID security and privacy: A research survey

This paper surveys recent technical research on the problems of privacy and security for radio frequency identification (RFID). RFID tags are small, wireless devices that help identify objects and people. Thanks to dropping cost, they are likely to proliferate into the billions in the next several years, and eventually into the trillions. RFID tags track objects in supply chains, and are working their way into the pockets, belongings, and even the bodies of consumers. This survey examines approaches proposed by scientists for privacy protection and integrity assurance in RFID systems, and treats the social and technical context of their work. While geared toward the nonspecialist, the survey may also serve as a reference for specialist readers.

Juels, A. (2006). RFID security and privacy: A research survey. IEEE journal on selected areas in communications, 24(2), 381-394. {PDF}

Abstract of Anatomy: Simple and effective privacy preservation

This paper presents a novel technique, anatomy, for publishing sensitive data. Anatomy releases all the quasi-identifier and sensitive values directly in two separate tables. Combined with a grouping mechanism, this approach protects privacy, and captures a large amount of correlation in the microdata. We develop a linear-time algorithm for computing anatomized tables that obey the l-diversity privacy requirement, and minimize the error of reconstructing the microdata. Extensive experiments confirm that our technique allows significantly more effective data analysis than the conventional publication method based on generalization. Specifically, anatomy permits aggregate reasoning with average error below 10%, which is lower than the error obtained from a generalized table by orders of magnitude.

Xiaokui Xiao and Yufei Tao. 2006. Anatomy: simple and effective privacy preservation. In Proceedings of the 32nd international conference on Very large data bases (VLDB '06), Umeshwar Dayal, Kyu-Young Whang, David Lomet, Gustavo Alonso, Guy Lohman, Martin Kersten, Sang K. Cha, and Young-Kuk Kim (Eds.). VLDB Endowment 139-150. {PDF}

2005

Abstract of Information revelation and privacy in online social networks

Participation in social networking sites has dramatically increased in recent years. Services such as Friendster, Tribe, or the Facebook allow millions of individuals to create online profiles and share personal information with vast networks of friends - and, often, unknown numbers of strangers. In this paper we study patterns of information revelation in online social networks and their privacy implications. We analyze the online behavior of more than 4,000 Carnegie Mellon University students who have joined a popular social networking site catered to colleges. We evaluate the amount of information they disclose and study their usage of the site's privacy settings. We highlight potential attacks on various aspects of their privacy, and we show that only a minimal percentage of users changes the highly permeable privacy preferences.

Ralph Gross and Alessandro Acquisti. 2005. Information revelation and privacy in online social networks. In Proceedings of the 2005 ACM workshop on Privacy in the electronic society (WPES '05). ACM, New York, NY, USA, 71-80. DOI=10.1145/1102199.1102214

Abstract of Data privacy through optimal k-anonymization

Data de-identification reconciles the demand for release of data for research purposes and the demand for privacy from individuals. This paper proposes and evaluates an optimization algorithm for the powerful de-identification procedure known as k-anonymization. A k-anonymized dataset has the property that each record is indistinguishable from at least k - 1 others. Even simple restrictions of optimized k-anonymity are NP-hard, leading to significant computational challenges. We present a new approach to exploring the space of possible anonymizations that tames the combinatorics of the problem, and develop data-management strategies to reduce reliance on expensive operations such as sorting. Through experiments on real census data, we show the resulting algorithm can find optimal k-anonymizations under two representative cost measures and a wide range of k. We also show that the algorithm can produce good anonymizations in circumstances where the input data or input parameters preclude finding an optimal solution in reasonable time. Finally, we use the algorithm to explore the effects of different coding approaches and problem variations on anonymization quality and performance. To our knowledge, this is the first result demonstrating optimal k-anonymization of a non-trivial dataset under a general model of the problem.

Bayardo, R. J., & Agrawal, R. (2005, April). Data privacy through optimal k-anonymization. In Data Engineering, 2005. ICDE 2005. Proceedings. 21st International Conference on (pp. 217-228). IEEE. {URL}

Abstract of Privacy preserving keyword searches on remote encrypted data

We consider the following problem: a user U wants to store his files in an encrypted form on a remote file server S. Later the user U wants to efficiently retrieve some of the encrypted files containing (or indexed by) specific keywords, keeping the keywords themselves secret and not jeopardizing the security of the remotely stored files. For example, a user may want to store old e-mail messages encrypted on a server managed by Yahoo or another large vendor, and later retrieve certain messages while travelling with a mobile device.

Chang, Y. C., & Mitzenmacher, M. (2005, June). Privacy preserving keyword searches on remote encrypted data. In ACNS (Vol. 5, pp. 442-455). {PDF}

Abstract of Privacy and rationality in individual decision making

Traditional theory suggests consumers should be able to manage their privacy. Yet, empirical and theoretical research suggests that consumers often lack enough information to make privacy-sensitive decisions and, even with sufficient information, are likely to trade off long-term privacy for short-term benefits.

Acquisti, A., & Grossklags, J. (2005). Privacy and rationality in individual decision making. IEEE Security & Privacy, 3(1), 26-33. {PDF}

Abstract of Location privacy in mobile systems: A personalized anonymization model

This paper describes a personalized k-anonymity model for protecting location privacy against various privacy threats through location information sharing. Our model has two unique features. First, we provide a unified privacy personalization framework to support location k-anonymity for a wide range of users with context-sensitive personalized privacy requirements. This framework enables each mobile node to specify the minimum level of anonymity it desires as well as the maximum temporal and spatial resolutions it is willing to tolerate when requesting for k-anonymity preserving location-based services (LBSs). Second, we devise an efficient message perturbation engine which runs by the location protection broker on a trusted server and performs location anonymization on mobile users' LBS request messages, such as identity removal and spatio-temporal cloaking of location information. We develop a suite of scalable and yet efficient spatio-temporal cloaking algorithms, called CliqueCloak algorithms, to provide high quality personalized location k-anonymity, aiming at avoiding or reducing known location privacy threats before forwarding requests to LBS provider(s).

Gedik, B., & Liu, L. (2005, June). Location privacy in mobile systems: A personalized anonymization model. In Distributed computing systems, 2005. ICDCS 2005. Proceedings. 25th IEEE international conference on (pp. 620-629). IEEE. {PDF}

2004

Abstract of Security and privacy aspects of low-cost radio frequency identification systems

Like many technologies, low-cost Radio Frequency Identification (RFID) systems will become pervasive in our daily lives when affixed to everyday consumer items as "smart labels". While yielding great productivity gains, RFID systems may create new threats to the security and privacy of individuals or organizations. This paper presents a brief description of RFID systems and their operation. We describe privacy and security risks and how they apply to the unique setting of low-cost RFID devices. We propose several security mechanisms and suggest areas for future research.

Weis S.A., Sarma S.E., Rivest R.L., Engels D.W. (2004) Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In: Hutter D., Müller G., Stephan W., Ullmann M. (eds) Security in Pervasive Computing. Lecture Notes in Computer Science, vol 2802. Springer, Berlin, Heidelberg {PDF}

Abstract of State-of-the-art in privacy preserving data mining

We provide here an overview of the new and rapidly emerging research area of privacy preserving data mining. We also propose a classification hierarchy that sets the basis for analyzing the work which has been performed in this context. A detailed review of the work accomplished in this area is also given, along with the coordinates of each work to the classification hierarchy. A brief evaluation is performed, and some initial conclusions are made.

Vassilios S. Verykios, Elisa Bertino, Igor Nai Fovino, Loredana Parasiliti Provenza, Yucel Saygin, and Yannis Theodoridis. 2004. State-of-the-art in privacy preserving data mining. SIGMOD Rec. 33, 1 (March 2004), 50-57. DOI=10.1145/974121.974131

Abstract of An architecture for privacy-sensitive ubiquitous computing

Privacy is the most often-cited criticism of ubiquitous computing, and may be the greatest barrier to its long-term success. However, developers currently have little support in designing software architectures and in creating interactions that are effective in helping end-users manage their privacy. To address this problem, we present Confab, a toolkit for facilitating the development of privacy-sensitive ubiquitous computing applications. The requirements for Confab were gathered through an analysis of privacy needs for both end-users and application developers. Confab provides basic support for building ubiquitous computing applications, providing a framework as well as several customizable privacy mechanisms. Confab also comes with extensions for managing location privacy. Combined, these features allow application developers and end-users to support a spectrum of trust levels and privacy needs.

Jason I. Hong and James A. Landay. 2004. An architecture for privacy-sensitive ubiquitous computing. In Proceedings of the 2nd international conference on Mobile systems, applications, and services (MobiSys '04). ACM, New York, NY, USA, 177-189. DOI=10.1145/990064.990087

2003

Abstract of Limiting privacy breaches in privacy preserving data mining

There has been increasing interest in the problem of building accurate data mining models over aggregate data, while protecting privacy at the level of individual records. One approach for this problem is to randomize the values in individual records, and only disclose the randomized values. The model is then built over the randomized data, after first compensating for the randomization (at the aggregate level). This approach is potentially vulnerable to privacy breaches: based on the distribution of the data, one may be able to learn with high confidence that some of the randomized records satisfy a specified property, even though privacy is preserved on average. In this paper, we present a new formulation of privacy breaches, together with a methodology, "amplification", for limiting them. Unlike earlier approaches, amplification makes it possible to guarantee limits on privacy breaches without any knowledge of the distribution of the original data. We instantiate this methodology for the problem of mining association rules, and modify the algorithm from [9] to limit privacy breaches without knowledge of the data distribution. Next, we address the problem that the amount of randomization required to avoid privacy breaches (when mining association rules) results in very long transactions. By using pseudorandom generators and carefully choosing seeds such that the desired items from the original transaction are present in the randomized transaction, we can send just the seed instead of the transaction, resulting in a dramatic drop in communication and storage cost. Finally, we define new information measures that take privacy breaches into account when quantifying the amount of privacy preserved by randomization.

Alexandre Evfimievski, Johannes Gehrke, and Ramakrishnan Srikant. 2003. Limiting privacy breaches in privacy preserving data mining. In Proceedings of the twenty-second ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems (PODS '03). ACM, New York, NY, USA, 211-222. DOI=10.1145/773153.773174

Abstract of Security and privacy in sensor networks

Sensor networks offer economically viable solutions for a variety of applications. For example, current implementations monitor factory instrumentation, pollution levels, freeway traffic, and the structural integrity of buildings. Other applications include climate sensing and control in office buildings and home environmental sensing systems for temperature, light, moisture, and motion. Sensor networks are key to the creation of smart spaces, which embed information technology in everyday home and work environments. The miniature wireless sensor nodes, or motes, developed from low-cost off-the-shelf components at the University of California, Berkeley, as part of its smart dust projects, establish a self-organizing sensor network when dispersed into an environment. The privacy and security issues posed by sensor networks represent a rich field of research problems. Improving network hardware and software may address many of the issues, but others will require new supporting technologies.

Chan, H., & Perrig, A. (2003). Security and privacy in sensor networks. Computer, 36(10), 103-105. {PDF}

Abstract of Privacy-preserving k-means clustering over vertically partitioned data

Privacy and security concerns can prevent sharing of data, derailing data mining projects. Distributed knowledge discovery, if done correctly, can alleviate this problem. The key is to obtain valid results, while providing guarantees on the (non)disclosure of data. We present a method for k-means clustering when different sites contain different attributes for a common set of entities. Each site learns the cluster of each entity, but learns nothing about the attributes at other sites.

Jaideep Vaidya and Chris Clifton. 2003. Privacy-preserving k-means clustering over vertically partitioned data. In Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining (KDD '03). ACM, New York, NY, USA, 206-215. DOI=10.1145/956750.956776

Abstract of Consumer privacy: Balancing economic and justice considerations

Consumer privacy is at the center of an ongoing debate among business leaders, privacy activists, and government officials. Although corporations face competitive pressures to collect and use personal information about their customers, many consumers find some methods of collection and use of their personal information unfair. We present a justice theory framework that illustrates how consumer privacy concerns are shaped by the perceived fairness of corporate information practices. We describe a set of global principles, fair information practices, which were developed to balance consumer privacy concerns with an organization's need to use personal information. We conclude by discussing three alternatives for implementing fair information practices with particular attention to the Internet: government regulation, industry self-regulation, and technological solutions.

Culnan, M. J., & Bies, R. J. (2003). Consumer privacy: Balancing economic and justice considerations. Journal of social issues, 59(2), 323-342. {URL}

2002

Abstract of k-anonymity: A model for protecting privacy

Consider a data holder, such as a hospital or a bank, that has a privately held collection of person-specific, field structured data. Suppose the data holder wants to share a version of the data with researchers. How can a data holder release a version of its private data with scientific guarantees that the individuals who are the subjects of the data cannot be re-identified while the data remain practically useful? The solution provided in this paper includes a formal protection model named k-anonymity and a set of accompanying policies for deployment. A release provides k-anonymity protection if the information for each person contained in the release cannot be distinguished from at least k-1 individuals whose information also appears in the release. This paper also examines re-identification attacks that can be realized on releases that adhere to k-anonymity unless accompanying policies are respected. The k-anonymity protection model is important because it forms the basis on which the real-world systems known as Datafly, μ-Argus and k-Similar provide guarantees of privacy protection.

Sweeney, L. (2002). k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05), 557-570. {PDF}

Abstract of Tools for privacy preserving distributed data mining

Privacy preserving mining of distributed data has numerous applications. Each application poses different constraints: What is meant by privacy, what are the desired results, how is the data distributed, what are the constraints on collaboration and cooperative computing, etc. We suggest that the solution to this is a toolkit of components that can be combined for specific privacy-preserving data mining applications. This paper presents some components of such a toolkit, and shows how they can be used to solve several privacy-preserving data mining problems.

Chris Clifton, Murat Kantarcioglu, Jaideep Vaidya, Xiaodong Lin, and Michael Y. Zhu. 2002. Tools for privacy preserving distributed data mining. SIGKDD Explor. Newsl. 4, 2 (December 2002), 28-34. DOI=10.1145/772862.772867

Abstract of Transforming data to satisfy privacy constraints

Data on individuals and entities are being collected widely. These data can contain information that explicitly identifies the individual (e.g., social security number). Data can also contain other kinds of personal information (e.g., date of birth, zip code, gender) that are potentially identifying when linked with other available data sets. Data are often shared for business or legal reasons. This paper addresses the important issue of preserving the anonymity of the individuals or entities during the data dissemination process. We explore preserving the anonymity by the use of generalizations and suppressions on the potentially identifying portions of the data. We extend earlier works in this area along various dimensions. First, satisfying privacy constraints is considered in conjunction with the usage for the data being disseminated. This allows us to optimize the process of preserving privacy for the specified usage. In particular, we investigate the privacy transformation in the context of data mining applications like building classification and regression models. Second, our work improves on previous approaches by allowing more flexible generalizations for the data. Lastly, this is combined with a more thorough exploration of the solution space using the genetic algorithm framework. These extensions allow us to transform the data so that they are more useful for their intended purpose while satisfying the privacy constraints.

Vijay S. Iyengar. 2002. Transforming data to satisfy privacy constraints. In Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining (KDD '02). ACM, New York, NY, USA, 279-288. DOI=10.1145/775047.775089

Abstract of Privacy preserving data mining

In this paper we address the issue of privacy preserving data mining. Specifically, we consider a scenario in which two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. Our work is motivated by the need both to protect privileged information and to enable its use for research or other purposes.

Lindell, Y., & Pinkas, B. (2002). Privacy preserving data mining. Journal of cryptology, 15(3). {PDF}

2000

Abstract of Privacy-preserving data mining

A fruitful direction for future data mining research will be the development of techniques that incorporate privacy concerns. Specifically, we address the following question. Since the primary task in data mining is the development of models about aggregated data, can we develop accurate models without access to precise information in individual data records? We consider the concrete case of building a decision-tree classifier from training data in which the values of individual records have been perturbed. The resulting data records look very different from the original records and the distribution of data values is also very different from the original distribution. While it is not possible to accurately estimate original values in individual data records, we propose a novel reconstruction procedure to accurately estimate the distribution of original data values. By using these reconstructed distributions, we are able to build classifiers whose accuracy is comparable to the accuracy of classifiers built with the original data.

Rakesh Agrawal and Ramakrishnan Srikant. 2000. Privacy-preserving data mining. In Proceedings of the 2000 ACM SIGMOD international conference on Management of data (SIGMOD '00). ACM, New York, NY, USA, 439-450. URL=dl.acm.org/citation.cfm?id=335438

Abstract of Privacy preserving data mining

In this paper we introduce the concept of privacy preserving data mining. In our model, two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. This problem has many practical and important applications, such as in medical research with confidential patient records.

Agrawal, R., & Srikant, R. (2000, May). Privacy-preserving data mining. In ACM Sigmod Record (Vol. 29, No. 2, pp. 439-450). ACM. {PDF}

1999

Abstract of Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation

This research addresses the tensions that arise between the collection and use of personal information that people provide in the course of most consumer transactions, and privacy. In today's electronic world, the competitive strategies of successful firms increasingly depend on vast amounts of customer data. Ironically, the same information practices that provide value to organizations also raise privacy concerns for individuals. This study hypothesized that organizations can address these privacy concerns and gain business advantage through customer retention by observing procedural fairness: customers will be willing to disclose personal information and have that information subsequently used to create consumer profiles for business use when there are fair procedures in place to protect individual privacy. Because customer relationships are characterized by social distance, customers must depend on strangers to act on their behalf. Procedural fairness serves as an intermediary to build trust when interchangeable organizational agents exercise considerable delegated power on behalf of customers who cannot specify or constrain their behavior. Our hypothesis was supported as we found that when customers are explicitly told that fair information practices are employed, privacy concerns do not distinguish consumers who are willing to be profiled from those who are unwilling to have their personal information used in this way.

Culnan, M. J., & Armstrong, P. K. (1999). Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation. Organization science, 10(1), 104-115. {PDF}

1989

Abstract of Protecting privacy in surveillance societies

The introduction discusses the emergence of surveillance societies, followed by five case studies of surveillance and privacy protection in each of the five countries. The focus is on the work of the officials charged with protecting privacy in each country, whether through formal agencies such as exist in Sweden, Canada, France, and the Federal Republic of Germany, or civil servants administering privacy laws at the Federal level such as in the United States. The information presented is drawn from government documents and interviews with agencies' leaders and staff during the 1980s. Each case study explores the data protection model adopted by the country and the model's organizing principles and practical application.

Flaherty, D. H. (1989). Protecting privacy in surveillance societies (p. 306). Chapel Hill: University of North Carolina Press. {URL}

1978

Abstract of On data banks and privacy homomorphisms

Encryption is a well-known technique for preserving the privacy of sensitive information. One of the basic, apparently inherent, limitations of this technique is that an information system working with encrypted data can at most store or retrieve the data for the user; any more complicated operations seem to require that the data be decrypted before being operated on.

Rivest, R. L., Adleman, L., & Dertouzos, M. L. (1978). On data banks and privacy homomorphisms. Foundations of secure computation, 4(11), 169-180. {PDF}